Nine practical warning signs that an ISO 22301-focused consultant may deliver something compliant on paper, but not something your business will actually use. Includes simple checks to help make sure your continuity work produces something the business can actually use when something goes wrong.
A lot of organisations assume that hiring an ISO 22301 specialist means they’re getting strong business continuity capability.
That isn’t always true.
ISO 22301 is a solid framework. It helps you build a Business Continuity Management System that meets a recognised standard.
But it doesn’t guarantee that the plan will actually work when you need it.
And that’s the gap you see in practice.
The organisation has a plan. Sometimes a very detailed one.
But no one really knows how to use it. It’s too big, too detailed, and written to meet an audit rather than to help people respond to an incident.
So when something does go wrong, or even when you look closely at how it would work, it’s clear the system isn’t built for real use.
If most of the conversation is:
…but very little about what actually happens when something fails, you’re in the wrong place.
ISO defines requirements. It doesn’t tell you what actually happens when something breaks.
Check: Ask them to explain a real disruption in business terms, not ISO language.
If success is defined as:
you’ll probably get something that looks right… but isn’t much use when something actually goes wrong. (see what good business continuity consultancy should actually look like)
A BCMS isn’t the output. It’s something the business should actually use.
Check: Ask what will be different when something goes wrong. If the answer is vague, that tells you a lot.
This is where things fall apart quickly.
You end up with:
So when something goes wrong, no one is clear what they’re supposed to do.
Check: Every output needs a named owner before the work is finished. Not “the business” — an actual person.
If what you’re getting is:
rather than:
then it’s been built for audit, not for real use.
It will review well. It won’t help much when something actually happens.
Classic one.
You get:
And no one ever uses it.
If it doesn’t help someone respond to an incident, it’s just admin. (see why traditional BIA often falls short)
Check: Ask who actually uses the BIA in practice. If there isn’t a clear answer, it’s a dead output.
You’ll sometimes see exercises where:
That’s not testing. That’s rehearsal.
If you’re not finding gaps that would matter in a real incident, you’re not doing it properly.
Check: Ask what changed after the last exercise. If the answer is “not much”, that tells you everything.
The system gets:
And then left with the business to “run”.
In reality, without structure and pressure, the plan quickly drifts and becomes something no one actually uses.
Check: Ask how this is going to be kept alive in practice. Not in theory. (see what a business continuity consultant should actually do during an engagement)
If continuity doesn’t connect to:
it stays abstract, so it doesn’t help when something actually fails.
And abstract work gets ignored.
Check: Ask how outputs link to actual business decisions. If they don’t, it won’t land.
This is the one that matters.
The plan exists. It’s been reviewed. It may even be “approved”.
But when you try to use it, it’s too big, too unclear, or just not practical in that moment.
It means the work sitting behind it isn’t something the business can actually use.
ISO 22301 is useful. It gives you a structure to work from.
But compliance and capability are not the same thing.
If the focus is on documents and audit, you’ll end up with something that exists…
…but doesn’t influence anything.
And you’ll only really notice that when something actually goes wrong — and the plan doesn’t help.
If you need ISO 22301 support, make sure you’re building something the business can actually use. See how our business continuity consultants approach delivery.